ENGAGEMENT RISK ASSESSMENT METHODOLOGY by nfj14094


The University of Texas System Audit Office
Engagement Risk Assessment Guidelines
______________________________________________________________________________


The System Audit Office performs a risk assessment in the planning phase of each engagement.
Risk is assessed as low, medium or high. Definitions are as follows:

     Low - There is a minimal probability that the risks identified may adversely affect the
     activity under examination.

     Medium - There is a moderate probability that the risks identified may adversely affect
     the activity under examination.

     High - It is probable that the risks identified may adversely affect the activity under
     examination.

The Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of
Internal Auditing Performance Standard 2201 – Planning Considerations requires “internal
auditors to consider the significant risks to the activity, its objectives, resources, and operations
and the means by which the potential impact of risk is kept to an acceptable level”. Other
planning considerations can be obtained from The Institute of Internal Auditors’ International
Standards for the Professional Practice of Internal Auditing.

Risk assessments should consider the possible effects of risk:
 - An erroneous decision from using incorrect, untimely, incomplete, or otherwise unreliable
   information.
 - Erroneous record keeping, inappropriate accounting, fraudulent financial reporting, financial
   loss, and exposure.
 - Failure to adequately safeguard assets.
 - Customer dissatisfaction, negative publicity, and damage to the organization’s reputation.
 - Failure to adhere to organizational policies, plans, and procedures, or not complying with
   relevant laws and regulations.
 - Acquiring resources uneconomically or using them inefficiently or ineffectively.
 - Failure to accomplish established objectives and goals for operations or programs.


Risk Assessment Process
1. Identify auditable activities - examples include:
      - Policies, procedures and practices
      - General ledger balances
      - Information systems
      - Transaction systems (sales, collection, purchasing)
      - Financial statements
      - Laws and regulations


Last Updated: 6/1/06
2. Identify relevant risk factors - examples include:
      - Management interest
      - Adequacy and effectiveness of system of internal control
      - Public visibility
      - Organizational or operational changes
      - Date and results of previous engagements
      - Competence, adequacy, and integrity of personnel
      - Degree of computerized information systems
      - Asset size, liquidity, or transaction volume
      - Complexity or volatility of activities

3. Assess relative significance - discuss the significance of various factors with the
   Engagement Manager and the Director of Audits, as appropriate, on an
   engagement-by-engagement basis.

4. Assess risk as low, medium or high based on the definitions above.


Alternative Risk Assessment Process
For larger, more complex engagements or engagements without a pre-defined objective, it may
be more appropriate to perform a risk assessment of the area being reviewed using Enterprise
Risk Management, which creates a risk footprint that assists in the identification of key risks.
This alternative method should be discussed with the Engagement Manager and Director of
Audits as part of the understanding meeting to ensure an appropriate risk assessment for the
engagement is completed.



